I prefer simplicity and using the first example but I’d be happy to hear other options. Here’s a few examples:

HTTP/1.1 403 POST /endpoint
{ "message": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
Unauthorized access (no json)
HTTP/1.1 403 POST /endpoint
{ "error": "Unauthorized access" }
HTTP/1.1 403 POST /endpoint
{
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}
HTTP/1.1 200 (🤡) POST /endpoint
{
  "error": true,
  "message": "Unauthorized access",
}
HTTP/1.1 403 POST /endpoint
{
  "status": 403,
  "code": "UNAUTHORIZED",
  "message": "Unauthorized access",
}

Or your own example.

  • lengau@midwest.social
    link
    fedilink
    arrow-up
    12
    ·
    2 months ago

    At a previous job we had an unholy combination of the last two:

    HTTP/1.1 200 POST /endpoint 
    {
      "data": null,
      "errors": ["403", "unauthorized"],
      "success": false
    }
    
      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        It’s a perfectly fine way of doing things as long as it’s consistent and the spec is clear.

        HTTP is a transport layer. You don’t have to use its codes for your application layer. It’s often done that way but it’s not the only way.

        In the example above the transport layer is saying “OK I’ve delivered your output” which is technically correct. It’s not concerned with logical errors inside what it was transporting, just with the delivery itself.